Yes, Cloudflare's innovation is amazing in terms of what they bring to the table for web performance and web security. I can imagine they're eating into complementary competitors' bottom lines a lot, i.e. CDNs and smaller anti-DDoS/WAF providers, not to mention holding off users' server hardware vertical upgrade paths till a lot later!

Unfortunately, OpenSSL and LibreSSL haven't implemented TLS 1.3 yet, so it's not working with Nginx HTTPS yet.


Even though it was already released in OpenSSL and could work on Nginx. Which of course it is not.
It is quite useless ATM as it is not enabled by default on browsers like Chrome stable (stable 56 with TLS 1.3 support) etc.

BoringSSL does have version 1.3, but you need to patch the code to enable 1.3.

For anyone following this issue, we are working on a Chrome update that should resolve this by disabling TLS 1.3 in Chrome 56. In the meantime, there are a few other workarounds you may wish to try.

To be clear, ultimately this is an issue with proxies/firewalls that are not compatible with TLS 1.3. Please continue to work with your proxy/firewall vendor to update to a version that is compatible with TLS 1.3. A future version of Chrome will re-enable TLS 1.3.

Short-term workarounds:

1) On your internal DNS server, create a temporary A record that points clients4.google.com at 64.233.186.102. Once that's in place, restart Chrome / reboot Chrome devices a few times. It may take up to 30 minutes and a few restarts, but devices should get the update to stop using TLS 1.2. **Important:** be sure to remove the DNS A record once this is fixed. Leaving the record in place WILL BREAK DOWN THE LINE.

2) Have the user visit chrome://flags/#ssl-version-max and set it to TLS 1.2. This works for Chrome users but not if the problem is occurring on the Chrome OS login screen. **Important:** be sure users turn this setting back to Default after leaving it on for 1-2 hours. Otherwise the user will not be able to use the more secure TLS 1.3 in the future and is left with a less secure profile.

3) Allow Chrome to connect directly to the Internet for connections to clients4.google.com. This could be done by connecting the device to a tethered phone, using a home network connection, disabling the firewall/proxy that is breaking TLS 1.3, or routing connections to clients4.google.com around this firewall/proxy. Once Chrome is able to connect to clients4.google.com, it should receive the update to disable TLS 1.3 automatically in 1-2 hours' time. Restarts may be required.
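The Google post above says the root cause is a proxy or firewall on the path that cannot handle a TLS 1.3 handshake, and its workaround 2 is to cap Chrome at TLS 1.2. Before applying any of the workarounds it is worth confirming that diagnosis from the affected network. The script below is an added example, not part of the quoted post or of Chrome: it performs the same "cap the client at TLS 1.2" trick with Python's `ssl` module, probes a host once with TLS 1.3 allowed and once capped at 1.2, and classifies the pair of outcomes. A handshake that fails only when 1.3 is permitted, against a server that the open Internet negotiates 1.3 with, points at the middlebox rather than the server. It assumes Python 3.7+ built against an OpenSSL with TLS 1.3 support; the default target host is a placeholder, and the probe does no retries or proxy handling.

```python
"""Probe whether the network path breaks TLS 1.3 while TLS 1.2 still works.

Added example (not from the original thread). Assumes Python 3.7+ and an
OpenSSL with TLS 1.3 support (ssl.HAS_TLSv1_3). The target host below is
an illustrative placeholder, not something named in the thread.
"""
import socket
import ssl
from typing import Dict, Optional

PLACEHOLDER_HOST = "example.com"  # assumption: replace with the host that fails
PLACEHOLDER_PORT = 443


def make_context(max_version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context capped at max_version.

    Capping at TLSv1_2 is the equivalent of setting Chrome's
    ssl-version-max flag to TLS 1.2 (workaround 2 in the quoted post).
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = max_version
    return ctx


def probe(host: str, port: int, max_version: ssl.TLSVersion,
          timeout: float = 5.0) -> Optional[str]:
    """Handshake with the server and return the negotiated protocol name
    (e.g. 'TLSv1.3' or 'TLSv1.2'), or None if the handshake failed."""
    ctx = make_context(max_version)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (OSError, ssl.SSLError):
        # Resets, timeouts and alerts from an intercepting device all end up here.
        return None


def classify(results: Dict[str, Optional[str]]) -> str:
    """Interpret a pair of probe outcomes keyed 'tls13' (1.3 allowed)
    and 'tls12' (capped at 1.2)."""
    allowed13, capped12 = results.get("tls13"), results.get("tls12")
    if allowed13 == "TLSv1.3":
        return "tls13-ok"                 # path and server both handle TLS 1.3
    if allowed13 is None and capped12 == "TLSv1.2":
        return "tls13-blocked"            # only the 1.3-capable hello fails: middlebox suspected
    if allowed13 == "TLSv1.2" and capped12 == "TLSv1.2":
        return "server-tls12-only"        # server simply does not offer 1.3; no middlebox needed
    if allowed13 is None and capped12 is None:
        return "unreachable"              # neither handshake completed; not a TLS 1.3 issue
    return "inconclusive"


def run(host: str = PLACEHOLDER_HOST, port: int = PLACEHOLDER_PORT) -> str:
    """Probe host twice and return the classification."""
    if not getattr(ssl, "HAS_TLSv1_3", False):
        return "inconclusive"  # this client cannot even offer TLS 1.3
    results = {
        "tls13": probe(host, port, ssl.TLSVersion.TLSv1_3),
        "tls12": probe(host, port, ssl.TLSVersion.TLSv1_2),
    }
    return classify(results)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else PLACEHOLDER_HOST
    print(target, "->", run(target))
```

Run it once from behind the suspect proxy/firewall and once from an unfiltered connection (a tethered phone, as in workaround 3). A `tls13-blocked` result behind the device together with `tls13-ok` outside it is the evidence to take to the proxy/firewall vendor; `server-tls12-only` in both places means the server never offered TLS 1.3 and the problem lies elsewhere.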